[state of the internet] / SECURITY / THREAT ADVISORY
Threat Advisory: BillGates Botnet
Issue Date:
Risk Factor: High
TLP: WHITE

1.0 / OVERVIEW /

Akamai's Security Intelligence Research Team (SIRT) continues to see the BillGates trojan/bot family of malware being used to launch DDoS attacks. Attackers who control the malware, first disclosed on a Russian IT website in February 2014, can gain full control of the infected systems. The attack vectors available within the toolkit include: ICMP flood, TCP flood, UDP flood, SYN flood, HTTP flood (Layer 7), and DNS query-of-reflection flood.

This malware is an update and reuse of the Elknot malware source code. It has been detected in the wild for a few years now. Over the years, the botnets composed of it have grown, and today's botnets are launching significantly large attacks.

Like the XOR botnet, this malware is believed to be of Asian origin. The attackers are using the same methods for infection, which are primarily SSH brute-force attempts against root login credentials (previously it was reported that infection methods include a vulnerability in the ElasticSearch Java VM). The botnet targets are the same as the XOR botnet's, most of which are hosted in Asia and are online gaming institutions.

Akamai SIRT observed inactivity from the XOR C2 back in Q4 2015, which was publicly announced and believed to be part of a takedown operation. Once that occurred, the attackers started using the BillGates botnet to launch attacks against the same target list.

This advisory includes validated DDoS attack campaigns and an example of this botnet being used as one of the sources, along with the use of a booter site. We also cover the detection of malware infections, identifying attack patterns from this botnet, and how to clean an infected machine.
1.1 / NOT ONE, BUT MANY BOTNETS /

The malware sample is generated by what's called a Builder, a piece of software that creates a variant of the actual BillGates malware. This allows anybody to build their own customized version of the malware, with their own C2 that they control, and start infecting machines, thus creating their own botnet. Because of this process, there are many active BillGates botnets operated by different individuals, attacking different targets across the globe. A little over a year ago, the Malware Must Die team released a screen recording of how anybody can use the builder to generate their own version of the malware, as well as of the spreading methods.

2.0 / TOOLKIT ANALYSIS /

Upon infection, the malware is capable of launching DDoS attacks, opening ports and services, and taking nearly full control over the infected system. The malware consists of multiple stages, each responsible for certain tasks within its operation.

The executed binary initially does two anti-debugging/anti-tampering checks. It compares its size with a preset value; if the two values do not match, it simply stops there. The next check searches for the string "gdb" within its parent process's full execution path. This ensures the malware was not started inside the GDB debugger.

The next step of its execution is to decrypt its own configuration using the RSA algorithm. The format of the configuration is:

<C2-ip>:<C2-port>:<Is Listener?>:<Is Service?>:<Campaign Name>:<Enable Backdoor?>

The table below lists each configuration parameter and its associated global variable:

Configuration parameter      Global variable name
<C2-ip>                      g_strconntgt
<C2-port>                    g_igatsports
<Is Listener Boolean>        g_igatsisfx
<Is Service Boolean>         g_iisservice
<Campaign Name>              g_strforcenote
<Enable Backdoor Boolean>    g_idobackdoor

Figure 1: Configuration parameter table
Once the malware has decrypted its configuration, execution jumps directly to the malware's main functionality, which first checks the value of the g_gatestypes global variable. Based on that value, the malware performs one of the following functions. The value is derived from the filename and path the malware is executed from.

g_gatestypes value    Function          Filename
0                     MainMonitor()     /usr/bin/.sshd
1                     MainBeikong()     Anything else
2                     MainBackdoor()    /usr/bin/bsd-port/getty
3                     MainSystool()     One of the replaced system tools listed in Figure 6
                                        (the /bin, /usr/bin and /usr/sbin copies of netstat, lsof, ps and ss)

Figure 2: The 4 main functions executed based on the associated file path

Let's review each of the 4 functions, since each plays a specific role in the process. The order in which they are explained matches the malware's execution flow.

2.1 / GATE 1, MAINBEIKONG /

Since the initial infection will start with a random filename, the malware enters this stage first. In this stage, the malware first checks whether it is already running on the current machine by checking if the file /tmp/bill.lod exists. This file contains the process ID of the already running malicious instance. If it finds an active process, it kills that process ID and replaces the file's content with its own current process ID.

Next it checks the value of the g_isservice global variable (derived from the previously decrypted configuration), and if it's 1, it configures persistence on the system by creating the following startup scripts:

1. /etc/init.d/dbsecurityspt
2. /etc/rc1.d/s97dbsecurityspt
3. /etc/rc2.d/s97dbsecurityspt
4. /etc/rc3.d/s97dbsecurityspt
5. /etc/rc4.d/s97dbsecurityspt
6. /etc/rc5.d/s97dbsecurityspt

All of the files in the rc.d directories are symbolic links to /etc/init.d/dbsecurityspt; the contents of the DbSecuritySpt script are shown below.
#!/bin/bash
/<full-path-to-malware>/<malware-filename>

Figure 3: Contents of the DbSecuritySpt script

After the persistence configuration is complete, the malware checks the value of the g_idobackdoor global variable. If it is set to 1, it checks whether the files /usr/bin/bsd-port/getty.lock and /usr/bin/bsd-port/udev.lock exist and kills the process IDs contained in these files. Next, it copies itself to /usr/bin/bsd-port/getty and /usr/bin/bsd-port/.sshd, which it executes via a call to system(). It then pauses the current process until the child process has exited; at that point, it invokes the function MainProcess(), explained later.

2.2 / GATE 2, MAINBACKDOOR /

In this instance of the malware, it checks whether the file /usr/bin/bsd-port/getty.lock exists and whether there is an already running process whose process ID matches the content of that file. If this proves true, it simply exits; otherwise, it continues setting up more persistence measures and corrupting vital system tools.

For persistence of the Gate 2 instance of the malware, it creates the file /etc/init.d/selinux with the following content:

#!/bin/bash
/usr/bin/bsd-port/getty

Figure 4: Contents of the /etc/init.d/selinux file

It also creates the following symbolic links to it:

/etc/rc1.d/s99selinux
/etc/rc2.d/s99selinux
/etc/rc3.d/s99selinux
/etc/rc4.d/s99selinux
/etc/rc5.d/s99selinux

Figure 5: Symbolic links pointed at /etc/init.d/selinux

Each link ensures the malware will be included in the startup processes upon boot for each of the Linux run levels.
It also checks whether any of the following system tools exist:

/bin/netstat
/bin/lsof
/bin/ps
/bin/ss
/usr/bin/netstat
/usr/bin/lsof
/usr/bin/ps
/usr/bin/ss
/usr/sbin/netstat
/usr/sbin/lsof
/usr/sbin/ps
/usr/sbin/ss

Figure 6: List of system tools the malware checks for on the infected machine

It replaces each tool in the above list with a copy of itself and moves the original files to the /usr/bin/dpkgd/ directory. It also sets the permissions required to ensure the copies can be executed as normal. The malware then proceeds to the function MainProcess().

2.3 / GATE 0, MAINMONITOR /

If the process was started via the .sshd file, the malware executes stage Gate 0. This phase first reads the file /tmp/notify.file, created by Gate 1, which contains the full path to the original executable. This path is then used to initialize a new thread object that activates CThreadMonGate::MainProcess, which simply checks whether any process currently holds an active lock on the file /tmp/gates.lock, and repeats this check every 60 seconds. If the check fails, it reruns the main binary to restart the infection. Essentially, this process safeguards the malware's main process, ensuring it is alive and well.

2.4 / GATE 3, MAINSYSTOOL /

This phase is responsible for the stealthy and continued operation of the malware. Previously, in Gate 2, some core system tools were moved by the malware, with copies of itself dropped in their place. Gate 3 acts as a pass-through to those relocated binaries and is responsible for processing the original binaries' output and removing indications of compromise from it. It does this by checking its own execution path: if it matches one of the replaced core system tools, it executes the original utility from its new path and parses the returned output line by line. If specific keywords are detected on a line, such as /usr/bin/bsd-port or a specific port number, it simply scrubs that line, stopping it from being output to the user.

2.5 / MAIN PROCESS /

Once all of the initial phases have completed and the malware has rooted itself into the system, the malware runs the MainProcess function. This is a multi-threaded stage responsible for opening communication with the C2 server(s), parsing commands, and launching DDoS attacks.
The malware tries to connect to the C2 IP address and port number from the decrypted configuration. Upon successful connection, the malware registers itself with the C2 by sending information about the infected host. Some of this information includes the output of the uname -sr command, the number of CPU cores on the system, the CPU speed, etc.

Figure 7: C2 registration packet (hex dump)

The above payload consists of:

- IP address of the infected machine
- DNS addresses
- Number of CPUs
- CPU MHz derived from /proc/cpuinfo
- Total memory
- System kernel name and kernel version from uname -sr
- Static string, possibly the malware version

The C2 responds right away with a command for the bot. Some of the available commands are Start DDoS Attack, Stop DDoS Attack, and Execute Shell Command. An example payload for Start DDoS Attack includes the following data:

Figure 8: C2 Start DDoS Attack packet (hex dump)

The above payload consists of:

- Command instructing the bot to perform an attack
- Size of the rest of the payload
- Attack type (in this case a SYN flood)
- TCP flags (in this case 02 for SYN)
- Number of targets
- Target IP in plain readable ASCII
- Following the IP in ASCII, the destination port in hex
3.0 / DDOS ATTACK PAYLOADS /

The DDoS attacks most frequently observed are SYN and DNS floods. Each of these attacks has its own distinguishable characteristics. Here is a sample SYN flood:

14:16: IP xxx.xxx.xxx.xxx > xxx.xxx.xxx.xxx.80: Flags [S], seq : , win 60311, length 970
<! ***** Redacted for space *****!>

Figure 9: SYN Flood attack packet

Every SYN packet consists of a 20-byte IP header, a 20-byte TCP header, exactly 970 bytes of null-padded payload, and no TCP header options. The TCP window size, sequence numbers, and TTL are all fully randomized. The malware has the ability to spoof the source IP address; however, some of the monitored attack campaigns did not use a spoofed source IP address. This is likely due to an inability to route spoofed traffic from the infected machine's network.

15:23: IP xxx.xxx.xxx.xxx > xxx.xxx.xxx.xxx.53: [1au] A? ghaxofybqxsmut.example.com. (55)

Figure 10: DNS Flood attack packet

In the example malformed query in Figure 10, we see a highly randomized subdomain (ghaxofybqxsmut) being requested. This is the most distinguishable characteristic and is enough to identify DNS attack traffic generated by the BillGates malware.

4.0 / OBSERVED CAMPAIGNS /

Much like the XOR botnet, the BillGates botnet is also believed to be of Asian origin. The botnet appears to mostly target Asia-based organizations, focusing heavily on the gaming and entertainment industries. The attack campaigns observed on our network vary from several Gbps to hundreds of Gbps. Most of the campaigns observed include signatures from multiple types of malware and their associated botnets, as well as BillGates.
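The two traffic characteristics called out in section 3.0 (a bare SYN carrying exactly 970 bytes of payload, and an A query whose leftmost label is a long random string) can be triaged from tcpdump's one-line output before any packet capture is opened. The following script is an added example and is not part of the advisory: the sample lines are constructed in the style of Figures 9, 10 and 13 using documentation address ranges, and the "mostly distinct characters" test for a random label is this example's own heuristic, not a rule from the advisory.

```python
import re

# Constructed sample lines in tcpdump's one-line summary format, modelled on
# Figures 9, 10 and 13 of the advisory (addresses are documentation ranges).
SAMPLE_LINES = [
    "05:43:01.000001 IP 192.0.2.10.47102 > 198.51.100.7.80: Flags [S], seq 1717986918, win 64713, length 970",
    "05:43:01.000002 IP 192.0.2.11.47103 > 198.51.100.7.80: Flags [S], seq 3405691582, win 60240, length 970",
    "05:43:01.000003 IP 192.0.2.12.51000 > 198.51.100.7.443: Flags [S], seq 11111, win 65535, length 0",
    "05:43:01.000004 IP 192.0.2.13.33333 > 198.51.100.53.53: 1234+ [1au] A? ghaxofybqxsmut.example.com. (55)",
    "05:43:01.000005 IP 192.0.2.14.33334 > 198.51.100.53.53: 1235+ A? www.example.com. (33)",
]

LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")
LEN_RE = re.compile(r"length (\d+)$")
DNS_Q_RE = re.compile(r"A\? (\S+) \(\d+\)")

# Signature from section 3.0: a bare SYN carrying exactly 970 bytes of payload.
SYN_PAYLOAD_LEN = 970


def looks_random_label(label, min_len=10, min_distinct_ratio=0.7):
    """Heuristic (this example's own, not the advisory's): a long leftmost
    label made mostly of distinct characters, like ghaxofybqxsmut."""
    if len(label) < min_len:
        return False
    return len(set(label)) / len(label) >= min_distinct_ratio


def classify(line):
    """Return 'billgates-syn', 'billgates-dns' or None for one tcpdump line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group(3)
    if "Flags [S]" in rest:  # SYN only; "[S.]" (SYN-ACK) does not match this text
        n = LEN_RE.search(rest)
        if n and int(n.group(1)) == SYN_PAYLOAD_LEN:
            return "billgates-syn"
    q = DNS_Q_RE.search(rest)
    if q:
        qname = q.group(1).rstrip(".")
        if looks_random_label(qname.split(".")[0]):
            return "billgates-dns"
    return None


def scan_lines(lines):
    """Return (tag, source, destination) for every line that matches a signature."""
    hits = []
    for line in lines:
        tag = classify(line)
        if tag:
            m = LINE_RE.match(line)
            hits.append((tag, m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LINES):
        print(hit)
```

Feeding it `tcpdump -nn` output from a capture (rather than the constructed list) gives a first list of candidate sources for the SYN pattern and of resolvers receiving randomized-label queries; the DNS heuristic will also fire on legitimate long hashed labels (CDN or telemetry hostnames), so treat it as a lead to confirm with the packet-level characteristics, not as a verdict.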
Our most recently observed attack campaign consisting only of traffic from the BillGates malware, in 2015, peaked at around 6.5 Gbps, achieving nearly 1 million packets per second.

Akamai Scrubbing Center    Peak Gigabits per Second    Peak Packets per Second
Hong Kong                  0.24 Gbps                   Kpps
Virginia                   2.0 Gbps                    Kpps
San Jose                   1.16 Gbps                   Kpps
Frankfurt                  2.54 Gbps                   Kpps
London                     0.45 Gbps                   Kpps
Tokyo                      0.83 Gbps                   Kpps

Figure 11: Mitigated DDoS campaign measurements targeting an Akamai customer (packets-per-second values did not survive transcription)

The biggest attack campaign observed, including malicious traffic from the BillGates botnet along with various other attack vectors, was on December 30, 2015, and had a well-distributed peak bandwidth of about 308 Gbps across our scrubbing centers.

Akamai Scrubbing Center    Peak Gigabits per Second    Peak Packets per Second
Hong Kong                  Gbps                        Mpps
Virginia                   Gbps                        Mpps
San Jose                   Gbps                        Mpps
Frankfurt                  Gbps                        Mpps
London                     Gbps                        Mpps
Tokyo                      Gbps                        Mpps

Figure 12: Largest observed attack that utilized BillGates (per-center values did not survive transcription)
05:43: IP xx.xxx > xx.xxx: Flags [S], seq : , win 64713, length 970
05:43: IP xxx.xx > xx.xxx: Flags [S], seq : , win 64398, length 970
05:43: IP xxx.xx > xx.xxx: Flags [S], seq : , win 60240, length 970
05:43: IP xxx.xx > xx.xxx: Flags [S], seq : , win 61837, length 970
05:43: IP xxx.xxx > xx.xxx: Flags [S], seq : , win 60471, length 970
05:43: IP xxx.xx > xx.xxx: Flags [S], seq : , win 61554, length 970

Figure 13: Sample malicious packets from mitigated DDoS campaigns

The BillGates malware has the ability to spoof the source address of infected machines; however, from our investigation we can confirm this is not commonly observed in the attack traffic, and the attacking source IPs are in fact the actual infected machines. This is likely due to an inability to route spoofed traffic from the infected host's network.

5.0 / INDICATORS OF BINARY INFECTION /

First, check for the presence of the files gates.lod and moni.lod in your /tmp directory. If they exist, the content of gates.lod will be the process ID of the main malware, and the content of moni.lod is the process ID of the process responsible for safeguarding/persistence of the malware's primary process.

$ ls -lha /tmp
total 52K
drwxrwxrwt 10 root root 4.0K Feb 10 18:17 .
drwxr-xr-x 22 root root 4.0K Dec  9 11:09 ..
-rwxr-xr-x  1 root root    4 Feb  9 15:48 gates.lod
-rwxr-xr-x  1 root root    4 Feb  9 15:48 moni.lod
$ cat /tmp/gates.lod
$ cat /tmp/moni.lod

Figure 14: Indication of infection: PID files linked to the infection

We can see the associated malicious files of these processes. (Remember, don't use the ps utility from /bin, because the original utility has been substituted with a copy of the malware. The original utility is in the /usr/bin/dpkgd/ directory.)

$ cat /proc/13640/cmdline
/usr/bin/.sshd
$ cat /proc/13550/cmdline
/home/user/desktop/billgates_variant

Figure 15: Finding the execution path of the associated PID
Another indication is the presence of the following startup scripts in your /etc/init.d/ directory.

$ ls -la /etc/init.d/selinux
-rwxr-xr-x 1 root root 36 Feb 4 15:48 /etc/init.d/selinux
$ ls -la /etc/init.d/dbsecurityspt
-rwxr-xr-x 1 root root 39 Feb 4 15:48 /etc/init.d/dbsecurityspt
$ cat /etc/init.d/selinux
#!/bin/bash
/usr/bin/bsd-port/getty
$ cat /etc/init.d/dbsecurityspt
#!/bin/bash
/home/user/desktop/billgates_variant

Figure 16: Indication of infection: /etc/init.d startup scripts

Consequently, there is going to be a symbolic link to these startup scripts for each run level in the /etc/rc[run-level-number].d/ directories.

$ ls -la /etc/rc1.d/s99selinux
lrwxrwxrwx 1 root root 19 Feb 4 15:48 /etc/rc1.d/s99selinux -> /etc/init.d/selinux
$ ls -la /etc/rc1.d/s97dbsecurityspt
lrwxrwxrwx 1 root root 25 Feb 4 15:48 /etc/rc1.d/s97dbsecurityspt -> /etc/init.d/dbsecurityspt
$ ls -la /etc/rc2.d/s99selinux
lrwxrwxrwx 1 root root 19 Feb 4 15:48 /etc/rc2.d/s99selinux -> /etc/init.d/selinux
$ ls -la /etc/rc2.d/s97dbsecurityspt
lrwxrwxrwx 1 root root 25 Feb 4 15:48 /etc/rc2.d/s97dbsecurityspt -> /etc/init.d/dbsecurityspt
$ ls -la /etc/rc3.d/s99selinux
lrwxrwxrwx 1 root root 19 Feb 4 15:48 /etc/rc3.d/s99selinux -> /etc/init.d/selinux
$ ls -la /etc/rc3.d/s97dbsecurityspt
lrwxrwxrwx 1 root root 25 Feb 4 15:48 /etc/rc3.d/s97dbsecurityspt -> /etc/init.d/dbsecurityspt
$ ls -la /etc/rc4.d/s99selinux
lrwxrwxrwx 1 root root 19 Feb 4 15:48 /etc/rc4.d/s99selinux -> /etc/init.d/selinux
$ ls -la /etc/rc4.d/s97dbsecurityspt
lrwxrwxrwx 1 root root 25 Feb 4 15:48 /etc/rc4.d/s97dbsecurityspt -> /etc/init.d/dbsecurityspt
$ ls -la /etc/rc5.d/s99selinux
lrwxrwxrwx 1 root root 19 Feb 4 15:48 /etc/rc5.d/s99selinux -> /etc/init.d/selinux
$ ls -la /etc/rc5.d/s97dbsecurityspt
lrwxrwxrwx 1 root root 25 Feb 4 15:48 /etc/rc5.d/s97dbsecurityspt -> /etc/init.d/dbsecurityspt

Figure 17: Indications of infection: symlinks to /etc/init.d/dbsecurityspt and /etc/init.d/selinux in the /etc/rcX.d/ directories

We can check the hashes of the utility binaries ps, lsof, netstat, and ss and confirm they are identical to those of other confirmed infections.
$ md5sum /bin/ps
22e2cda565a857b1d78414ce50ac074d  /bin/ps
$ md5sum /bin/ss
22e2cda565a857b1d78414ce50ac074d  /bin/ss
$ md5sum /bin/netstat
22e2cda565a857b1d78414ce50ac074d  /bin/netstat
$ md5sum /usr/bin/lsof
22e2cda565a857b1d78414ce50ac074d  /usr/bin/lsof
$ md5sum /usr/bin/.sshd
22e2cda565a857b1d78414ce50ac074d  /usr/bin/.sshd
$ md5sum /home/user/desktop/billgates_variant
22e2cda565a857b1d78414ce50ac074d  /home/user/desktop/billgates_variant
$ md5sum /usr/bin/bsd-port/getty
22e2cda565a857b1d78414ce50ac074d  /usr/bin/bsd-port/getty

Figure 18: Indication of infection: hashes of infected files and core system tools

As you can see, the hashes are identical for all binaries, meaning the malware has successfully replaced these core system tools with copies of itself.

To disinfect your system, first kill the process ID found in the file /tmp/moni.lod. By killing this safeguarding process first, we ensure the malware will not restart itself when we kill the main process. Next, kill the process ID found in the file /tmp/gates.lod. As a third step, kill the process ID found in the file /usr/bin/bsd-port/getty.lock.

$ cat /tmp/moni.lod
$ sudo kill
$ cat /tmp/gates.lod
$ sudo kill
$ cat /usr/bin/bsd-port/getty.lock
$ sudo kill

Figure 19: Killing the BillGates processes in order to disinfect the machine

As a final step, delete all copies of the malware and the startup scripts.

$ rm -rf /tmp/moni.lod /tmp/gates.lod /etc/init.d/selinux /etc/init.d/dbsecurityspt \
    /etc/rc1.d/s97dbsecurityspt /etc/rc1.d/s99selinux \
    /etc/rc2.d/s97dbsecurityspt /etc/rc2.d/s99selinux \
    /etc/rc3.d/s97dbsecurityspt /etc/rc3.d/s99selinux \
    /etc/rc4.d/s97dbsecurityspt /etc/rc4.d/s99selinux \
    /etc/rc5.d/s97dbsecurityspt /etc/rc5.d/s99selinux \
    /usr/bin/bsd-port/ /usr/bin/lsof /bin/ps /bin/ss /bin/netstat

Figure 20: Removing the malware and associated persistence measures
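The host-side checks in section 5.0 (PID files in /tmp, the two init scripts, the run-level symlinks, the drop directories, and the tell-tale identical hashes across ps/ss/netstat/lsof) can be collected in one pass without trusting the possibly replaced ps. The script below is an added example and is not part of the advisory or Akamai's tooling; the paths are the ones the advisory names, while the root parameter (so the same checks run against a mounted disk image) and the function names are this example's own. It also reports /usr/bin/dpkgd/, where the advisory says the genuine tools were moved, since those are what you restore after the rm step in Figure 20.

```python
import hashlib
import os
import re
from pathlib import Path

# Artifacts named in sections 2.x and 5.0 of the advisory, relative to the root.
PID_FILES = ["tmp/gates.lod", "tmp/moni.lod",
             "usr/bin/bsd-port/getty.lock", "usr/bin/bsd-port/udev.lock"]
STARTUP_SCRIPTS = ["etc/init.d/selinux", "etc/init.d/dbsecurityspt"]
RC_LINKS = [f"etc/rc{n}.d/{name}" for n in range(1, 6)
            for name in ("s99selinux", "s97dbsecurityspt")]
DROP_DIRS = ["usr/bin/bsd-port", "usr/bin/dpkgd"]
TOOLS = [f"{d}/{t}" for d in ("bin", "usr/bin", "usr/sbin")
         for t in ("ps", "ss", "netstat", "lsof")]


def scan_root(root="/"):
    """Return a list of human-readable findings for the filesystem under root."""
    root = Path(root)
    findings = []

    # PID files: read the PID and, on a live system, the process's cmdline
    # straight from procfs instead of calling the (possibly replaced) ps.
    for rel in PID_FILES:
        p = root / rel
        if p.is_file():
            pid = re.sub(r"\D", "", p.read_text(errors="replace"))
            cmdline = root / "proc" / pid / "cmdline"
            if pid and cmdline.exists():
                exe = cmdline.read_bytes().replace(b"\0", b" ").decode(errors="replace").strip()
            else:
                exe = "(no matching process or no procfs under this root)"
            findings.append(f"pidfile /{rel}: pid {pid or '?'} {exe}")

    for rel in STARTUP_SCRIPTS:
        if (root / rel).exists():
            findings.append(f"startup script /{rel}")

    for rel in RC_LINKS:
        if (root / rel).is_symlink():
            findings.append(f"run-level symlink /{rel} -> {os.readlink(root / rel)}")

    for rel in DROP_DIRS:
        if (root / rel).is_dir():
            findings.append(f"drop directory /{rel}")

    # Figure 18: every replaced tool hashes to the same value as the malware
    # body, so two of ps/ss/netstat/lsof sharing a hash is itself an indicator.
    by_hash = {}
    for rel in TOOLS:
        p = root / rel
        if p.is_file():
            digest = hashlib.md5(p.read_bytes()).hexdigest()
            by_hash.setdefault(digest, []).append("/" + rel)
    for digest, paths in by_hash.items():
        if len(paths) > 1:
            findings.append(f"identical md5 {digest} for {', '.join(paths)}")

    return findings


if __name__ == "__main__":
    import sys
    for line in scan_root(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(line)
```

Run it as root on the suspect host (`scan_root("/")`) or point it at a mounted image; an empty list means none of the advisory's artifacts were found, not that the host is clean, since a rebuilt variant can use different paths. MD5 is used only to mirror the advisory's md5sum comparison, where the point is equality between files rather than collision resistance.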
6.0 / RECOMMENDED DETECTION METHODS /

The following steps are designed to assist organizations in identifying the BillGates malware on their systems.

6.1 / DETECTING NETWORK TRAFFIC /

To detect the network traffic of the initial communication from the bot to the C2, we can use the following tcpdump filter:

tcp[((tcp[12] >> 4) << 2):4] == 0x and ip[(ip[2:2] - 7):2] == 0x3a47

Figure 21: Tcpdump filter that can be used to find BillGates C2 communications

This filter has two parts. The first part looks within the first 4 bytes of the TCP payload for the bytes 0x, which are found in the register command. The second part looks for the ASCII ":G" (0x3a47), counting 7 bytes backwards from the end of the IP packet.

Part 1: tcp[((tcp[12] >> 4) << 2):4] == 0x
Part 2: ip[(ip[2:2] - 7):2] == 0x3a47

To capture the heartbeat from the C2 to the bot, there are many parts of the packet that change and could generate false positives and false negatives. This filter is a bit more involved, to prevent false hits.

tcp[((tcp[12] >> 4) << 2):4] == 0x and ((tcp[((tcp[12] >> 4) << 2) + 4:1]) + ((tcp[12] >> 4) << 2) + 8) + ((ip[0] & 0xf) << 2) == ip[2:2]

Figure 22: Tcpdump filter that can be used to find BillGates C2 heartbeats

This filter is also based on two parts. The first part detects the command from the C2 within the first 4 bytes of the TCP payload. The second part calculates the expected packet size from the command issued: it sums the IP header length, the TCP header length, and the payload size as instructed by the C2 (the byte following the command) plus 8, which must match the IP header's total packet length.

Part 1: tcp[((tcp[12] >> 4) << 2):4] == 0x
Part 2: ((tcp[((tcp[12] >> 4) << 2) + 4:1]) + ((tcp[12] >> 4) << 2) + 8) + ((ip[0] & 0xf) << 2) == ip[2:2]
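The offset arithmetic in Figures 21 and 22 is easy to get wrong when porting the filters to another sensor (an IDS rule, a Zeek script, a capture-replay check), so here is the same logic over raw IPv4/TCP bytes, as an added example rather than anything from the advisory. The 4-byte command constant is not readable in this copy of the advisory (only "0x" survived), so it is passed as a parameter; CMD_PLACEHOLDER, build_packet and the sample payloads are constructed for the example and are not the real BillGates values.

```python
import struct

# Constructed placeholder for the 4-byte command constant that the advisory
# writes as "0x..." at the start of the TCP payload. NOT the real value.
CMD_PLACEHOLDER = b"\x00\x00\x00\x01"


def ip_header_len(pkt):
    """(ip[0] & 0xf) << 2: IHL is counted in 32-bit words."""
    return (pkt[0] & 0x0F) << 2


def ip_total_len(pkt):
    """ip[2:2]: total datagram length from the IP header."""
    return struct.unpack_from("!H", pkt, 2)[0]


def tcp_payload_offset(pkt):
    """ip header + ((tcp[12] >> 4) << 2): tcp[] is indexed from the TCP header,
    so the data offset has to be added to the IP header length."""
    ihl = ip_header_len(pkt)
    return ihl + ((pkt[ihl + 12] >> 4) << 2)


def matches_registration(pkt, cmd=CMD_PLACEHOLDER):
    """Figure 21: command in the first 4 payload bytes and ':G' (0x3a47)
    exactly 7 bytes before the end of the IP datagram."""
    off, total = tcp_payload_offset(pkt), ip_total_len(pkt)
    if len(pkt) < total or off + 4 > total or total < 7:
        return False
    return pkt[off:off + 4] == cmd and pkt[total - 7:total - 5] == b":G"


def matches_heartbeat(pkt, cmd=CMD_PLACEHOLDER):
    """Figure 22: command in the first 4 payload bytes, and
    size_byte + tcp_hdr_len + 8 + ip_hdr_len == ip total length,
    where size_byte is the 5th payload byte (tcp[payload + 4:1])."""
    off, total = tcp_payload_offset(pkt), ip_total_len(pkt)
    if len(pkt) < total or off + 5 > total:
        return False
    if pkt[off:off + 4] != cmd:
        return False
    ihl = ip_header_len(pkt)
    tcp_hdr_len = off - ihl
    return pkt[off + 4] + tcp_hdr_len + 8 + ihl == total


def build_packet(payload, ihl_words=5, data_off_words=5):
    """Construct a minimal IPv4 + TCP packet around payload (sample data only;
    checksums are left zero because the filters never look at them)."""
    ip_len, tcp_len = ihl_words * 4, data_off_words * 4
    total = ip_len + tcp_len + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total, 0, 0,
                         64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    ip_hdr += b"\x00" * (ip_len - 20)          # IP options padding, if any
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0,
                          data_off_words << 4, 0x18, 65535, 0, 0)
    tcp_hdr += b"\x00" * (tcp_len - 20)        # TCP options padding, if any
    return ip_hdr + tcp_hdr + payload


if __name__ == "__main__":
    reg = build_packet(CMD_PLACEHOLDER + b"Linux 3.x" + b":G" + b"v0.01")
    hb = build_packet(CMD_PLACEHOLDER + bytes([4]) + b"\x00" * 7)
    print("registration:", matches_registration(reg), "heartbeat:", matches_heartbeat(hb))
```

The heartbeat check is a length-consistency test, not a content signature: it only says "this packet's size byte agrees with the IP total length the way the bot's protocol lays it out", which is why the advisory pairs it with the command bytes to keep false positives down. The build_packet helper accepts non-default IHL and data-offset values so you can confirm the offsets still line up when IP or TCP options are present.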
6.2 / YARA RULES FOR DETECTING INFECTION /

There are pre-existing rules for detecting the BillGates malware from the YARA community. However, for good measure, we built an additional rule that can be used.

rule BillGatesv1
{
    meta:
        author = "Akamai SIRT"
        description = "Rule to detect BillGates infection"
    strings:
        $st0 = "xpacket.ko"
        $st1 = "libamplify.so"
        $st2 = "12CUpdateGates"
        $st3 = "11CUpdateBill"
        $st4 = "10CTcpAttack"
        $st5 = "10CAttackDns"
        $st6 = "10CAttackAmp"
    condition:
        all of them
}

Figure 23: YARA rule used to identify BillGates malware

7.0 / CONCLUSION /

The BillGates malware is capable of launching Layer 3/4- and Layer 7-based DDoS attacks. BillGates botnets have grown significantly and are large enough to launch Gbps of attack traffic independently, but they are also used in conjunction with other DDoS frameworks. They appear to attack the same target industries as botnets built using the XOR malware and are very active in targeting Asia-based companies and their digital properties. There is a possibility that after the takedown of the XOR botnet, the malware actors began using different means and/or different botnets to continue their onslaught of attacks directed at the same primary group of targets. This awareness of activity observed by Akamai over the last 6 months has warranted the release of this advisory.

Disclaimer: The malware was named after Microsoft's former CEO, Bill Gates, based on the fact that it targets Linux machines instead of Windows. However, the malware is not affiliated in any way with Microsoft Corporation or its founder, Bill Gates.
About the Akamai Security Intelligence Research Team (SIRT)

Focused on mitigating malicious global cyber threats and vulnerabilities, the Akamai Security Intelligence Research Team (SIRT) conducts and shares digital forensics and post-event analysis with the security community to proactively protect against threats and attacks. As part of its mission, the Akamai SIRT maintains close contact with peer organizations around the world and trains Akamai's Professional Services and Customer Care teams to both recognize and counter attacks from a wide range of adversaries. The research performed by the Akamai SIRT is intended to help ensure Akamai's cloud security products are best of breed and can protect against any of the latest threats impacting the industry.

About Akamai

As the global leader in Content Delivery Network (CDN) services, Akamai makes the Internet fast, reliable and secure for its customers. The company's advanced web performance, mobile performance, cloud security and media delivery solutions are revolutionizing how businesses optimize consumer, enterprise and entertainment experiences for any device, anywhere. To learn how Akamai solutions and its team of Internet experts are helping businesses move faster forward, please visit or blogs.akamai.com, and on Twitter. Akamai is headquartered in Cambridge, Massachusetts in the United States with operations in more than 57 offices around the world. Our services and renowned customer care are designed to enable businesses to provide an unparalleled Internet experience for their customers worldwide. Addresses, phone numbers and contact information for all locations are listed on

Akamai Technologies, Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited. Akamai and the Akamai wave logo are registered trademarks. Other trademarks contained herein are the property of their respective owners.

Akamai believes that the information in this publication is accurate as of its publication date; such information is subject to change without notice. Published 03/16.
More informationProtect your network: planning for (DDoS), Distributed Denial of Service attacks
Protect your network: planning for (DDoS), Distributed Denial of Service attacks Nov 19, 2015 2015 CenturyLink. All Rights Reserved. The CenturyLink mark, pathways logo and certain CenturyLink product
More informationWeb Application Vulnerability Scanner: Skipfish
Web Application Vulnerability Scanner: Skipfish Page 1 of 7 EXECUTIVE SUMMARY Skipfish is an automated web application vulnerability scanner available for free download at Google s code website. It is
More informationNetworks and Security Lab. Network Forensics
Networks and Security Lab Network Forensics Network Forensics - continued We start off from the previous week s exercises and analyze each trace file in detail. Tools needed: Wireshark and your favorite
More informationContext Threat Intelligence
Context Threat Intelligence Threat Advisory The Monju Incident Context Ref. Author TA10009 Context Threat Intelligence (CTI) Date 27/01/2014 Tel +44 (0) 20 7537 7515 Fax +44 (0) 20 7537 1071 Email threat@contextis.co.uk
More informationAutomated Mitigation of the Largest and Smartest DDoS Attacks
Datasheet Protection Automated Mitigation of the Largest and Smartest Attacks Incapsula secures websites against the largest and smartest types of attacks - including network, protocol and application
More informationReducing the impact of DoS attacks with MikroTik RouterOS
Reducing the impact of DoS attacks with MikroTik RouterOS Alfredo Giordano Matthew Ciantar WWW.TIKTRAIN.COM 1 About Us Alfredo Giordano MikroTik Certified Trainer and Consultant Support deployment of WISP
More informationHow to Evaluate DDoS Mitigation Providers:
Akamai White Paper How to Evaluate DDoS Mitigation Providers: Four Critical Criteria How to Evaluate DDoS Mitigation Providers 2 TABLE OF CONTENTS INTRODUCTION 3 CRITERIA #1: THREAT INTELLIGENCE 3 CRITERIA
More informationDDoS Attacks: The Latest Threat to Availability. Dr. Bill Highleyman Managing Editor Availability Digest
DDoS Attacks: The Latest Threat to Availability Dr. Bill Highleyman Managing Editor Availability Digest The Anatomy of a DDoS Attack Sombers Associates, Inc. 2013 2 What is a Distributed Denial of Service
More informationStop DDoS Attacks in Minutes
PREVENTIA Forward Thinking Security Solutions Stop DDoS Attacks in Minutes 1 On average there are more than 7,000 DDoS attacks observed daily. You ve seen the headlines. Distributed Denial of Service (DDoS)
More informationGuide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst
INTEGRATED INTELLIGENCE CENTER Technical White Paper William F. Pelgrin, CIS President and CEO Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst This Center for Internet Security
More informationSecurity Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis?
Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis? This paper presents a scenario in which an attacker attempts to hack into the internal network
More informationTDC s perspective on DDoS threats
TDC s perspective on DDoS threats DDoS Dagen Stockholm March 2013 Lars Højberg, Technical Security Manager, TDC TDC in Sweden TDC in the Nordics 9 300 employees (2012) Turnover: 26,1 billion DKK (2012)
More informationProlexic Quarterly Global DDoS Attack Report Q4 2012
Prolexic Quarterly Global DDoS Attack Report Q4 2012 Q4 2012 was defined by the increasing scale and diversity of DDoS attacks as well as the enduring nature of botnets. Analysis and emerging trends At
More informationAKAMAI SOLUTION BROCHURE CLOUD SECURITY SOLUTIONS FAST RELIABLE SECURE.
CLOUD SECURITY SOLUTIONS FAST RELIABLE SECURE. Threat > The number and size of cyberattacks are increasing rapidly Website availability and rapid performance are critical factors in determining the success
More informationDDoS Attacks & Mitigation
DDoS Attacks & Mitigation Sang Young Security Consultant ws.young@stshk.com 1 DoS Attack DoS & DDoS an attack render a target unusable by legitimate users DDoS Attack launch the DoS attacks from various
More informationJ-Flow on J Series Services Routers and Branch SRX Series Services Gateways
APPLICATION NOTE Juniper Flow Monitoring J-Flow on J Series Services Routers and Branch SRX Series Services Gateways Copyright 2011, Juniper Networks, Inc. 1 APPLICATION NOTE - Juniper Flow Monitoring
More informationThis document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons
This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons Attribution-ShareAlike 4.0 International license. As a provider
More informationWolfr am Lightweight Grid M TM anager USER GUIDE
Wolfram Lightweight Grid TM Manager USER GUIDE For use with Wolfram Mathematica 7.0 and later. For the latest updates and corrections to this manual: visit reference.wolfram.com For information on additional
More informationStorm Worm & Botnet Analysis
Storm Worm & Botnet Analysis Jun Zhang Security Researcher, Websense Security Labs June 2008 Introduction This month, we caught a new Worm/Trojan sample on ours labs. This worm uses email and various phishing
More informationFirewalls and Intrusion Detection
Firewalls and Intrusion Detection What is a Firewall? A computer system between the internal network and the rest of the Internet A single computer or a set of computers that cooperate to perform the firewall
More informationAKAMAI WHITE PAPER. The Challenges of Connecting Globally in the Pharmaceutical Industry
AKAMAI WHITE PAPER The Challenges of Connecting Globally in the Pharmaceutical Industry The Challenges of Connecting Globally in the Pharmaceutical Industry TABLE OF CONTENTS EXECUTIVE SUMMARY 1 GLOBAL
More informationTHE AKAMAI SERVICE CONSULTING PACKAGE 10FOR10 IMPROVES YOUR WEB PERFORMANCE METRIC(S) BY AT LEAST 10%! AKAMAI 10For10 AKAMAI INDUSTRY BROCHURE
AKAMAI 10For10 THE AKAMAI SERVICE CONSULTING PACKAGE 10FOR10 IMPROVES YOUR WEB PERFORMANCE METRIC(S) BY AT LEAST 10%! Whether delivering web applications from behind the firewall, hosting in the cloud,
More informationDDoS Protecion Total AnnihilationD. DDoS Mitigation Lab
DDoS Protecion Total AnnihilationD A Industry body formed to foster synergy among stakeholders to promote advancement in DDoS defense knowledge. Independent academic R&D division of Nexusguard building
More informationHow To Protect A Dns Authority Server From A Flood Attack
the Availability Digest @availabilitydig Surviving DNS DDoS Attacks November 2013 DDoS attacks are on the rise. A DDoS attack launches a massive amount of traffic to a website to overwhelm it to the point
More informationComparison of Firewall, Intrusion Prevention and Antivirus Technologies
White Paper Comparison of Firewall, Intrusion Prevention and Antivirus Technologies How each protects the network Juan Pablo Pereira Technical Marketing Manager Juniper Networks, Inc. 1194 North Mathilda
More informationCERT Seminar March, 2010
CERT Seminar March, 2010 Presenter: Paul Sop, Chief Technology Officer These materials may not be used or relied upon in any way other than under a written agreement with Prolexic Technologies Agenda -
More informationIntroduction to Operating Systems
Introduction to Operating Systems It is important that you familiarize yourself with Windows and Linux in preparation for this course. The exercises in this book assume a basic knowledge of both of these
More informationHTTPS is Fast and Hassle-free with CloudFlare
HTTPS is Fast and Hassle-free with CloudFlare 1 888 99 FLARE enterprise@cloudflare.com www.cloudflare.com In the past, organizations had to choose between performance and security when encrypting their
More informationTrend Micro Incorporated Research Paper 2012. Adding Android and Mac OS X Malware to the APT Toolbox
Trend Micro Incorporated Research Paper 2012 Adding Android and Mac OS X Malware to the APT Toolbox Contents Abstract... 1 Introduction... 1 Technical Analysis... 2 Remote Access Trojan Functionality...
More informationIPsec Details 1 / 43. IPsec Details
Header (AH) AH Layout Other AH Fields Mutable Parts of the IP Header What is an SPI? What s an SA? Encapsulating Security Payload (ESP) ESP Layout Padding Using ESP IPsec and Firewalls IPsec and the DNS
More informationERT Attack Report. Attacks on Large US Bank During Operation Ababil. March 2013
Attacks on Large US Bank During Operation Ababil March 2013 Table of Contents Executive Summary... 3 Background: Operation Ababil... 3 Servers Enlisted to Launch the Attack... 3 Attack Vectors... 4 Variations
More informationMalicious Programs. CEN 448 Security and Internet Protocols Chapter 19 Malicious Software
CEN 448 Security and Internet Protocols Chapter 19 Malicious Software Dr. Mostafa Hassan Dahshan Computer Engineering Department College of Computer and Information Sciences King Saud University mdahshan@ccis.ksu.edu.sa
More informationImplementing Secure Converged Wide Area Networks (ISCW)
Implementing Secure Converged Wide Area Networks (ISCW) 1 Mitigating Threats and Attacks with Access Lists Lesson 7 Module 5 Cisco Device Hardening 2 Module Introduction The open nature of the Internet
More informationGuidance Regarding Skype and Other P2P VoIP Solutions
Guidance Regarding Skype and Other P2P VoIP Solutions Ver. 1.1 June 2012 Guidance Regarding Skype and Other P2P VoIP Solutions Scope This paper relates to the use of peer-to-peer (P2P) VoIP protocols,
More informationEE984 Laboratory Experiment 2: Protocol Analysis
EE984 Laboratory Experiment 2: Protocol Analysis Abstract This experiment provides an introduction to protocols used in computer communications. The equipment used comprises of four PCs connected via a
More informationERNW Newsletter 51 / September 2015
ERNW Newsletter 51 / September 2015 Playing With Fire: Attacking the FireEye MPS Date: 9/10/2015 Classification: Author(s): Public Felix Wilhelm TABLE OF CONTENT 1 MALWARE PROTECTION SYSTEM... 4 2 GAINING
More informationDDoS Mitigation Techniques
DDoS Mitigation Techniques Ron Winward, ServerCentral CHI-NOG 03 06/14/14 Consistent Bottlenecks in DDoS Attacks 1. The server that is under attack 2. The firewall in front of the network 3. The internet
More informationZend Server Amazon AMI Quick Start Guide
Zend Server Amazon AMI Quick Start Guide By Zend Technologies www.zend.com Disclaimer This is the Quick Start Guide for The Zend Server Zend Server Amazon Machine Image The information in this document
More informationSecure Content Delivery Network
kamai Technologies Inc. Secure Content Delivery Network Physical Access Information May 13, 2014 Table of Contents Purpose... 2 Risk Analysis... 2 Physical Access... 2 Issue/Response... 3 Records... 4
More informationAutomated Mitigation of the Largest and Smartest DDoS Attacks
Datasheet Protection Automated Mitigation of the Largest and Smartest Attacks Incapsula secures websites against the largest and smartest types of attacks - including network, protocol and application
More information2014 Foley & Lardner LLP Attorney Advertising Prior results do not guarantee a similar outcome Models used are not clients but may be representative
2014 Foley & Lardner LLP Attorney Advertising Prior results do not guarantee a similar outcome Models used are not clients but may be representative of clients 321 N. Clark Street, Suite 2800, Chicago,
More informationThis report is a detailed analysis of the dropper and the payload of the HIMAN malware.
PAGE 5 Check Point Malware Research Group HIMAN Malware Analysis December 12, 2013 Researcher: Overview This report is a detailed analysis of the dropper and the payload of the HIMAN malware. This malware
More informationStateful Firewalls. Hank and Foo
Stateful Firewalls Hank and Foo 1 Types of firewalls Packet filter (stateless) Proxy firewalls Stateful inspection Deep packet inspection 2 Packet filter (Access Control Lists) Treats each packet in isolation
More informationFirewalls, NAT and Intrusion Detection and Prevention Systems (IDS)
Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS) Internet (In)Security Exposed Prof. Dr. Bernhard Plattner With some contributions by Stephan Neuhaus Thanks to Thomas Dübendorfer, Stefan
More informationAvailability Digest. www.availabilitydigest.com. Prolexic a DDoS Mitigation Service Provider April 2013
the Availability Digest Prolexic a DDoS Mitigation Service Provider April 2013 Prolexic (www.prolexic.com) is a firm that focuses solely on mitigating Distributed Denial of Service (DDoS) attacks. Headquartered
More informationUncovering secret connections among attackers by using network theory and custom honeypots
Uncovering secret connections among attackers by using network theory and custom honeypots Pedram Hayati (PhD) Security Dimension (SecDim) pedram@secdim.com 28 May 2015 Tl;dr By using a number of custom
More informationProtecting the Infrastructure: Symantec Web Gateway
Protecting the Infrastructure: Symantec Web Gateway 1 Why Symantec for Web Security? Flexibility and Choice Best in class hosted service, appliance, and virtual appliance (upcoming) deployment options
More informationRevealing Botnets Using Network Traffic Statistics
Revealing Botnets Using Network Traffic Statistics P. Čeleda, R. Krejčí, V. Krmíček {celeda vojtec}@ics.muni.cz, radek.krejci@mail.muni.cz Security and Protection of Information 2011, 10-12 May 2011, Brno,
More informationHow Do I Upgrade Firmware and Save Configurations on PowerConnect Switches?
PowerConnect Application Note #12 February 2004 How Do I Upgrade Firmware and Save Configurations on PowerConnect Switches? This Application Notes relates to the following Dell PowerConnect products: PowerConnect
More informationSTATISTICS ON BOTNET-ASSISTED DDOS ATTACKS IN Q1 2015
STATISTICS ON BOTNET-ASSISTED DDOS ATTACKS IN Q1 2015 www.kaspersky.com 2 CONTENTS Methodology 3 Main findings 4 Geography of attacks 5 Time variations in the number of DDoS attacks 7 Types and duration
More informationProject 2: Firewall Design (Phase I)
Project 2: Firewall Design (Phase I) CS 161 - Joseph/Tygar November 12, 2006 1 Edits If we need to make clarifications or corrections to this document after distributing it, we will post a new version
More informationCloud Security In Your Contingency Plans
Cloud Security In Your Contingency Plans Jerry Lock Security Sales Lead, Greater China Contingency Plans Avoid data theft and downtime by extending the security perimeter outside the data-center and protect
More informationCSE 3482 Introduction to Computer Security. Denial of Service (DoS) Attacks
CSE 3482 Introduction to Computer Security Denial of Service (DoS) Attacks Instructor: N. Vlajic, Winter 2015 Learning Objectives Upon completion of this material, you should be able to: Explain the basic
More informationLinux MPS Firewall Supplement
Linux MPS Firewall Supplement First Edition April 2007 Table of Contents Introduction...1 Two Options for Building a Firewall...2 Overview of the iptables Command-Line Utility...2 Overview of the set_fwlevel
More informationNetwork Security. Mobin Javed. October 5, 2011
Network Security Mobin Javed October 5, 2011 In this class, we mainly had discussion on threat models w.r.t the class reading, BGP security and defenses against TCP connection hijacking attacks. 1 Takeaways
More informationIntrusion Detection System Based Network Using SNORT Signatures And WINPCAP
Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP Aakanksha Vijay M.tech, Department of Computer Science Suresh Gyan Vihar University Jaipur, India Mrs Savita Shiwani Head Of
More informationMan, Machine and DDoS Mitigation
Man, Machine and DDoS Mitigation The case for human cyber security expertise Automated DDoS mitigation poses risks Distributed denial of service (DDoS) attacks can overwhelm DDoS appliances Today s DDoS
More informationMalware Analysis Quiz 6
Malware Analysis Quiz 6 1. Are these files packed? If so, which packer? The file is not packed, as running the command strings shelll reveals a number of interesting character sequences, such as: irc.ircnet.net
More informationRise of the Machines: An Internet-Wide Analysis of Web Bots in 2014
SESSION ID: SPO2-W04 Rise of the Machines: An Internet-Wide Analysis of Web Bots in 2014 John Summers VP, Security Products Akamai #RSAC The Akamai Intelligent Platform The Platform 167,000+ Servers 2,300+
More informationPowerChute TM Network Shutdown Security Features & Deployment
PowerChute TM Network Shutdown Security Features & Deployment By David Grehan, Sarah Jane Hannon ABSTRACT PowerChute TM Network Shutdown (PowerChute) software works in conjunction with the UPS Network
More informationHow To Stop A Ddos Attack On A Website From Being Successful
White paper Combating DoS/DDoS Attacks Using Cyberoam Eliminating the DDoS Threat by Discouraging the Spread of Botnets www.cyberoam.com Introduction Denial of Service (DoS) and Distributed Denial of Service
More informationFirewalls, Tunnels, and Network Intrusion Detection
Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls
More informationAlert (TA14-212A) Backoff Point-of-Sale Malware
Alert (TA14-212A) Backoff Point-of-Sale Malware Original release date: July 31, 2014 Systems Affected Point-of-Sale Systems Overview This advisory was prepared in collaboration with the National Cybersecurity
More informationStrategies to Protect Against Distributed Denial of Service (DDoS) Attacks
Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks Document ID: 13634 Contents Introduction Understanding the Basics of DDoS Attacks Characteristics of Common Programs Used to Facilitate
More informationCrashPlan Security SECURITY CONTEXT TECHNOLOGY
TECHNICAL SPECIFICATIONS CrashPlan Security CrashPlan is a continuous, multi-destination solution engineered to back up mission-critical data whenever and wherever it is created. Because mobile laptops
More informationIDS / IPS. James E. Thiel S.W.A.T.
IDS / IPS An introduction to intrusion detection and intrusion prevention systems James E. Thiel January 14, 2005 S.W.A.T. Drexel University Overview Intrusion Detection Purpose Types Detection Methods
More informationNetwork Monitoring Tool to Identify Malware Infected Computers
Network Monitoring Tool to Identify Malware Infected Computers Navpreet Singh Principal Computer Engineer Computer Centre, Indian Institute of Technology Kanpur, India navi@iitk.ac.in Megha Jain, Payas
More informationHost Discovery with nmap
Host Discovery with nmap By: Mark Wolfgang moonpie@moonpie.org November 2002 Table of Contents Host Discovery with nmap... 1 1. Introduction... 3 1.1 What is Host Discovery?... 4 2. Exploring nmap s Default
More informationNetwork Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík
Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík {celeda velan jirsik}@ics.muni.cz Part I Introduction P. Čeleda et al. Network Security Monitoring and Behavior
More information